git.stella-ops.org/docs/features/unchecked/scanner/dataflow-aware-diffs.md

Dataflow-Aware Diffs (Entrypoint-to-Sink Reachability)

Module

Scanner

Status

IMPLEMENTED

Description

Semantic entrypoint orchestrator with dataflow boundary analysis, data boundary mapping, and service security dataflow analyzer for entrypoint-to-sink reachability.

Implementation Details

• Semantic Entrypoint Orchestrator:
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypointOrchestrator.cs - Orchestrates semantic entrypoint analysis across languages
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ISemanticEntrypointAnalyzer.cs - Interface for semantic analysis
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntryTraceAnalyzer.cs - Trace analyzer for dataflow
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticEntrypoint.cs - Entrypoint model
• Data Boundary Analysis:
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/DataBoundaryMapper.cs - Maps data flow boundaries
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/DataFlowBoundary.cs - Data flow boundary model
• Capability & Threat Detection:
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/CapabilityDetector.cs - Detects capabilities (network, file, crypto, etc.)
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Analysis/ThreatVectorInferrer.cs - Infers threat vectors from entrypoint-to-sink paths
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/CapabilityClass.cs - Capability class model
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ThreatVector.cs - Threat vector model
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/ApplicationIntent.cs - Application intent model
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/SemanticConfidence.cs - Confidence scoring
• Language Adapters:
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/DotNetSemanticAdapter.cs
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/JavaSemanticAdapter.cs
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/NodeSemanticAdapter.cs
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/PythonSemanticAdapter.cs
  • src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/Adapters/GoSemanticAdapter.cs
• Service Security: src/Scanner/__Libraries/StellaOps.Scanner.ServiceSecurity/ - Service-level dataflow security analysis

E2E Test Plan

• Scan a container image with a web application and verify entrypoint-to-sink dataflow paths are detected
• Verify DataBoundaryMapper identifies data flow boundaries (e.g., user input -> database, network -> filesystem)
• Verify CapabilityDetector identifies application capabilities (network access, file I/O, crypto usage)
• Verify ThreatVectorInferrer infers threat vectors from detected dataflow paths
• Verify language-specific semantic adapters work for .NET, Java, Node.js, Python, and Go applications
• Verify dataflow-aware diff results appear in the scan report